umbral | 3acef42e6894019c44addea96a3ef2048b7b0f902b805c2e8d093db549091297

Analysis

max time kernel
45s
max time network
46s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
07-09-2024 15:34

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Rust AntiCheat.exe
Size

1.1MB
MD5

9b044bfee63da32d66539cd56741e2d7
SHA1

22b313baac54ea88cb581347d7226073033cb64c
SHA256

3acef42e6894019c44addea96a3ef2048b7b0f902b805c2e8d093db549091297
SHA512

f0cf4ef7516a7227a92ad9e098661f2683e07418cce2473851eaa6deb3c1db4859d9ce50f1615288e28c668b69fefb9ba1c2069dc2fe84c54a97616cf7ba7876
SSDEEP

24576:7cM0t9RyT52bxGzz9qshXGFh9jvTXZbX5y4h1ptssmnt:ArRyT529KXgh9btbXJbGsmt

Score

10^/10

umbral xworm discovery execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

expected-schema.gl.at.ply.gg:2980

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe

Extracted

Family

umbral

https://ptb.discord.com/api/webhooks/1271826116721639445/0LTa3NkwRKKJuRNql7cAkLRG6HVFF6qerOeff_MVz-9g28SPb06nhaG45QDZdp1IGvu2

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000800000001ac41-15.dat	family_umbral
behavioral2/memory/428-18-0x0000027280B40000-0x0000027280B80000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000800000001ac3e-12.dat	family_xworm
behavioral2/memory/3804-17-0x0000000000550000-0x000000000056C000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3724	powershell.exe
3344	powershell.exe
2696	powershell.exe
1388	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	RuntimeBroker.exe

Executes dropped EXE 3 IoCs

pid	Process
2168	Loader (1).exe
3804	RuntimeBroker.exe
428	Umbral.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\Users\\Admin\\AppData\\Local\\RuntimeBroker"	RuntimeBroker.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader (1).exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1388	powershell.exe
1388	powershell.exe
1388	powershell.exe
3724	powershell.exe
3724	powershell.exe
3724	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
3804	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3804	RuntimeBroker.exe
Token: SeDebugPrivilege	428	Umbral.exe
Token: SeIncreaseQuotaPrivilege	4576	wmic.exe
Token: SeSecurityPrivilege	4576	wmic.exe
Token: SeTakeOwnershipPrivilege	4576	wmic.exe
Token: SeLoadDriverPrivilege	4576	wmic.exe
Token: SeSystemProfilePrivilege	4576	wmic.exe
Token: SeSystemtimePrivilege	4576	wmic.exe
Token: SeProfSingleProcessPrivilege	4576	wmic.exe
Token: SeIncBasePriorityPrivilege	4576	wmic.exe
Token: SeCreatePagefilePrivilege	4576	wmic.exe
Token: SeBackupPrivilege	4576	wmic.exe
Token: SeRestorePrivilege	4576	wmic.exe
Token: SeShutdownPrivilege	4576	wmic.exe
Token: SeDebugPrivilege	4576	wmic.exe
Token: SeSystemEnvironmentPrivilege	4576	wmic.exe
Token: SeRemoteShutdownPrivilege	4576	wmic.exe
Token: SeUndockPrivilege	4576	wmic.exe
Token: SeManageVolumePrivilege	4576	wmic.exe
Token: 33	4576	wmic.exe
Token: 34	4576	wmic.exe
Token: 35	4576	wmic.exe
Token: 36	4576	wmic.exe
Token: SeIncreaseQuotaPrivilege	4576	wmic.exe
Token: SeSecurityPrivilege	4576	wmic.exe
Token: SeTakeOwnershipPrivilege	4576	wmic.exe
Token: SeLoadDriverPrivilege	4576	wmic.exe
Token: SeSystemProfilePrivilege	4576	wmic.exe
Token: SeSystemtimePrivilege	4576	wmic.exe
Token: SeProfSingleProcessPrivilege	4576	wmic.exe
Token: SeIncBasePriorityPrivilege	4576	wmic.exe
Token: SeCreatePagefilePrivilege	4576	wmic.exe
Token: SeBackupPrivilege	4576	wmic.exe
Token: SeRestorePrivilege	4576	wmic.exe
Token: SeShutdownPrivilege	4576	wmic.exe
Token: SeDebugPrivilege	4576	wmic.exe
Token: SeSystemEnvironmentPrivilege	4576	wmic.exe
Token: SeRemoteShutdownPrivilege	4576	wmic.exe
Token: SeUndockPrivilege	4576	wmic.exe
Token: SeManageVolumePrivilege	4576	wmic.exe
Token: 33	4576	wmic.exe
Token: 34	4576	wmic.exe
Token: 35	4576	wmic.exe
Token: 36	4576	wmic.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeIncreaseQuotaPrivilege	1388	powershell.exe
Token: SeSecurityPrivilege	1388	powershell.exe
Token: SeTakeOwnershipPrivilege	1388	powershell.exe
Token: SeLoadDriverPrivilege	1388	powershell.exe
Token: SeSystemProfilePrivilege	1388	powershell.exe
Token: SeSystemtimePrivilege	1388	powershell.exe
Token: SeProfSingleProcessPrivilege	1388	powershell.exe
Token: SeIncBasePriorityPrivilege	1388	powershell.exe
Token: SeCreatePagefilePrivilege	1388	powershell.exe
Token: SeBackupPrivilege	1388	powershell.exe
Token: SeRestorePrivilege	1388	powershell.exe
Token: SeShutdownPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeSystemEnvironmentPrivilege	1388	powershell.exe
Token: SeRemoteShutdownPrivilege	1388	powershell.exe
Token: SeUndockPrivilege	1388	powershell.exe
Token: SeManageVolumePrivilege	1388	powershell.exe
Token: 33	1388	powershell.exe
Token: 34	1388	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3804	RuntimeBroker.exe
3544	LogonUI.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2168	2768	Rust AntiCheat.exe	73
PID 2768 wrote to memory of 2168	2768	Rust AntiCheat.exe	73
PID 2768 wrote to memory of 2168	2768	Rust AntiCheat.exe	73
PID 2768 wrote to memory of 3804	2768	Rust AntiCheat.exe	74
PID 2768 wrote to memory of 3804	2768	Rust AntiCheat.exe	74
PID 2768 wrote to memory of 428	2768	Rust AntiCheat.exe	75
PID 2768 wrote to memory of 428	2768	Rust AntiCheat.exe	75
PID 428 wrote to memory of 4576	428	Umbral.exe	76
PID 428 wrote to memory of 4576	428	Umbral.exe	76
PID 3804 wrote to memory of 1388	3804	RuntimeBroker.exe	80
PID 3804 wrote to memory of 1388	3804	RuntimeBroker.exe	80
PID 3804 wrote to memory of 3724	3804	RuntimeBroker.exe	83
PID 3804 wrote to memory of 3724	3804	RuntimeBroker.exe	83
PID 3804 wrote to memory of 3344	3804	RuntimeBroker.exe	85
PID 3804 wrote to memory of 3344	3804	RuntimeBroker.exe	85
PID 3804 wrote to memory of 2696	3804	RuntimeBroker.exe	87
PID 3804 wrote to memory of 2696	3804	RuntimeBroker.exe	87
PID 3804 wrote to memory of 4760	3804	RuntimeBroker.exe	89
PID 3804 wrote to memory of 4760	3804	RuntimeBroker.exe	89
PID 3804 wrote to memory of 4580	3804	RuntimeBroker.exe	91
PID 3804 wrote to memory of 4580	3804	RuntimeBroker.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Rust AntiCheat.exe
"C:\Users\Admin\AppData\Local\Temp\Rust AntiCheat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Local\Loader (1).exe
  "C:\Users\Admin\AppData\Local\Loader (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2168
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\RuntimeBroker'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2696
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\Admin\AppData\Local\RuntimeBroker"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4760
- - C:\Windows\SYSTEM32\shutdown.exe
    shutdown.exe /f /s /t 0
    3⤵
    PID:4580
- C:\Users\Admin\AppData\Local\Umbral.exe
  "C:\Users\Admin\AppData\Local\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4576

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aec055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Loader (1).exe

Filesize
827KB

MD5
eefb801774c5ccb44153268a9357f5f1

SHA1
b1906b22e14edd142c52808ab3e5ba9346b85de5

SHA256
677aeb1981c58cba41a5d53ccbbf5b471e62dc49dc326570767da940560d840d

SHA512
1cf162fe6184d68dca514059d2de1123e80d0faac401765a54224aa5a987c9454bc92263fbec566835aa7b402f1f63ba59bb425ccc139e0a7391e66991f270b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e0aab82c47841987b2833b3b64c8d978

SHA1
d6a499ea3e01efac1c1875fb2c55d283c34228b1

SHA256
26018cd429fd26c53b23a086b349dcaf7852c3172014a5e8308c81783122147a

SHA512
dc055a45a22bce799c3424fe88ed6418429a9f90200e5a88a22240bb9dd87e61f019cbb1ca7cbd3fbc6ae2f7346bb05e0a7141000123b533f7f7db5299757ab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e42d496df61c74b44c2e2b9e26f5aaef

SHA1
b9892337b09212e38704b34526453929f5932821

SHA256
24d863df2ab92e097aa7f0ad5b2657a6a316396515bb13049e9e10cabfe528ca

SHA512
a8b26fac98be8100bfe07b0d750a0362be54d5bc639a9c1542982b474f0311b90595276a050749f420dd5bf21edb5e30da36da6399aa58eefd0b8c9ee56da1c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e811e05a7fd8914dc5ec7c45c3a06473

SHA1
8360d548d0845cba99a7ad7bb713dea6c23c8de6

SHA256
4477b1cee83d5dac1e5a0a8b927846adf59a74879bc3fef21dbb6c817baff746

SHA512
0681b382ab713616f64458ca21f9a4cf1b355c9c70a391f7d757424f360802aa59086959574533007e618d3e442f0130edd464cd688e4d7449b97d4681d7728d

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker.exe

Filesize
90KB

MD5
79fef04d806d7916fa1bf6d30358d4de

SHA1
2afb944edcf58c6594c734fbe0c8416b6bc1f447

SHA256
76f2d446e7fc3631f352180c201de9eb139d1acf3daf5dd63fe69502fa253bf1

SHA512
897021db19492ed9cf5ae3d68d840af1f68cf8836b1e5935485e42e569ecf8c95c85fe50b9e25ab13275209ed112906d06ef03a83502a0fa5904e60d3c3dad1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_apxkb33b.eos.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Umbral.exe

Filesize
231KB

MD5
2986f5be729cdf63ccb15a204a46d31b

SHA1
a7a733787f7aa226153d4ff693349cd88fc4a96f

SHA256
9242c3d80edfd477acaac2f7037d8fe77395b31c0c923cd65309df09ce2c8403

SHA512
edbb2cb4731d59e92ccf781d25569efa1a9ecd1df116860673898606d5e208e6c39fd8ab2066c902c542bdd61acc6c204eabad30a0d3f1ead82973005cc037f5

Download Submit
memory/428-18-0x0000027280B40000-0x0000027280B80000-memory.dmp

Filesize
256KB

Download
memory/428-22-0x00007FFD0B760000-0x00007FFD0C14C000-memory.dmp

Filesize
9.9MB

Download
memory/428-26-0x00007FFD0B760000-0x00007FFD0C14C000-memory.dmp

Filesize
9.9MB

Download
memory/1388-31-0x0000015AC74E0000-0x0000015AC7502000-memory.dmp

Filesize
136KB

Download
memory/1388-34-0x0000015ADFC40000-0x0000015ADFCB6000-memory.dmp

Filesize
472KB

Download
memory/2168-25-0x0000000008ED0000-0x0000000008F08000-memory.dmp

Filesize
224KB

Download
memory/2168-20-0x00000000009E0000-0x0000000000AB6000-memory.dmp

Filesize
856KB

Download
memory/2768-0-0x00007FFD0B763000-0x00007FFD0B764000-memory.dmp

Filesize
4KB

Download
memory/2768-1-0x0000000000640000-0x0000000000768000-memory.dmp

Filesize
1.2MB

Download
memory/3804-21-0x00007FFD0B760000-0x00007FFD0C14C000-memory.dmp

Filesize
9.9MB

Download
memory/3804-17-0x0000000000550000-0x000000000056C000-memory.dmp

Filesize
112KB

Download
memory/3804-204-0x00007FFD0B760000-0x00007FFD0C14C000-memory.dmp

Filesize
9.9MB

Download
memory/3804-205-0x00007FFD0B760000-0x00007FFD0C14C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads